cPanel Exim Vulnerability: How to Protect Yourself

21 June 2019 by Charlotte Greene

cPanel have recently reported a critical Exim vulnerability: CVE-2019-10149. So, we’re getting you up to speed on what this means for you and how you can protect yourself against this threat.

What is the vulnerability?

The vulnerability is a flaw in Exim versions 4.87 to 4.91 that allows attackers to remotely execute commands as the root user.

How do I protect against it?

Firstly, if you’re on version 80 in Web Host Manager (WHM) then no further action is needed as the vulnerability does not affect this newer version.

For versions 78, 76 and 70, cPanel have released updates so you need to check if your version has been patched. To do so, you can run the command rpm -q exim on your server via SSH.

If you see output like one of the following, or if you see Exim version 4.92+, then you’re patched:

For Version 78: exim-4.92-1.cp1178.x86_64

For Version 80: exim-4.92-1.cp1180.x86_64

For Version 70 and 76: exim-4.91-4.cp1170.x86_64

Although cPanel have patched this on versions 76 and 70, these are end of life and it has been confirmed that no further updates will be released. So for best practice, and to ensure you can patch your systems in the future, upgrade to the latest version now.
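The version check above can be scripted. This is an added example, not code from cPanel or UKFast: a shell function (the name exim_patch_status is hypothetical) that classifies rpm -q exim output using only the rules this article gives. It assumes that any cp1170 build of 4.91 with release 4 or higher carries the fix, and the sample strings that do not appear in the article are constructed.

```sh
#!/bin/sh
# Added example: classify `rpm -q exim` output by the rules in this article.
# Prints one of: patched | vulnerable | not-affected | unknown
exim_patch_status() {
    pkg=$1
    rest=${pkg#exim-}        # 4.92-1.cp1178.x86_64
    version=${rest%%-*}      # 4.92
    relinfo=${rest#*-}       # 1.cp1178.x86_64
    release=${relinfo%%.*}   # 1
    major=${version%%.*}     # 4
    minor=${version#*.}      # 92 (or 92.3 for a three-part version)
    minor=${minor%%.*}       # 92

    # Reject anything that is not exim-<major>.<minor>-<release>..., such as
    # "package exim is not installed" or a sub-package like exim-debuginfo.
    case $pkg in exim-*-*) ;; *) echo unknown; return 0 ;; esac
    case $version in *.*) ;; *) echo unknown; return 0 ;; esac
    for n in "$major" "$minor" "$release"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done

    # cPanel's fix for versions 70 and 76 keeps the 4.91 version number, so a
    # plain version comparison would flag it. Assumption: release 4 or higher
    # on the cp1170 build carries the fix (the article lists release 4 only).
    backport=no
    case $relinfo in
        *.cp1170.*)
            if [ "$minor" -eq 91 ] && [ "$release" -ge 4 ]; then backport=yes; fi ;;
    esac

    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 92 ]; }; then
        echo patched
    elif [ "$major" -lt 4 ] || [ "$minor" -lt 87 ]; then
        echo not-affected    # outside the affected range 4.87 to 4.91
    elif [ "$backport" = yes ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed samples: the first two appear in the article, the rest are invented.
for sample in "exim-4.92-1.cp1178.x86_64" "exim-4.91-4.cp1170.x86_64" \
              "exim-4.91-3.cp1170.x86_64" "package exim is not installed"; do
    printf '%-30s %s\n' "$sample" "$(exim_patch_status "$sample")"
done
# On the server itself: exim_patch_status "$(rpm -q exim)"
```

A result of unknown means the package string could not be parsed and should be checked by hand rather than treated as safe.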

Easy Apache

If you’re still using Easy Apache 3, this will prevent you from upgrading to version 76 and above. First, you need to migrate to Easy Apache 4.

You can see if you’re on Easy Apache 3 by logging into your WHM panel. You will see a similar notice to the one below.

[Image: Easy Apache 3 notice]

What do you need to check before updating?

As Easy Apache 4 only supports PHP 5.4+ and Apache 2.4, you need to ensure that your sites are compatible. Since every PHP version below 7.2 is end of life, or in maintenance, your sites should be compatible. But you can check using these links:

https://documentation.cpanel.net/display/EA4/Apache

https://documentation.cpanel.net/display/EA4/PHP+Home

How do you update?

Once you’ve checked compatibility, we recommend you save your current Easy Apache 3 profile before migrating from Easy Apache 3 to 4 using the Easy Apache 4 migration tool in WHM. Once the migration from Easy Apache 3 to 4 is complete, you can upgrade your WHM version.

You may get an error at this stage saying the upgrade is blocked. If so, you will need to edit your /etc/cpupdate.conf to read, for example:

    CPANEL=11.76
    RPMUP=daily
    SARULESUP=daily
    STAGING_DIR=/usr/local/cpanel
    UPDATES=daily

Once you have completed this update (upcp), set this back to the following:

    CPANEL=release
    RPMUP=daily
    SARULESUP=daily
    STAGING_DIR=/usr/local/cpanel
    UPDATES=daily

Security recommendations

Some servers exploited through this vulnerability have been infected with a crypto coinminer. To check for and protect yourself against this threat, follow the recommendations below:

  • Look for any unfamiliar cronjobs in your crontab and remove them. Restore legitimate cron jobs from existing backups.
  • Delete the authorized key used for SSH backdoor access.
  • Kill the coinminer process and delete the coinminer.
  • Check your firewall and access logs for the following hostnames:
    https://an7kmd2wp4xo7hpr.tor2web.su
    https://an7kmd2wp4xo7hpr.tor2web.io
    https://an7kmd2wp4xo7hpr.onion.sh
  • Re-image any compromised servers.

If you’re concerned your server may be compromised, you may need a compromise investigation, which you can arrange through your account manager or by seeking help from an external cybersecurity organisation.

Support with your updates

If you need any more guidance on how to update, please don’t hesitate to contact the UKFast support team on 0800 923 0605 – we’re here to help!

We provide the highest level of customer support in our industry, meaning you won’t find a provider with the same level of support anywhere else.
